$2,063 Bounty Awarded for Privilege Escalation Vulnerability Patched in User Registration WordPress Plugin


🎉 Did you know we’re running a Bug Bounty Extravaganza again?

Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure!


On March 9th, 2024, during our second Bug Bounty Extravaganza, we received a submission for a Privilege Escalation vulnerability in User Registration, a WordPress plugin with more than 60,000 active installations. This vulnerability makes it possible for an authenticated attacker to grant themselves administrative privileges by updating the default user role.

Props to Stiofan who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $2,063.00 for this discovery during our Bug Bounty Program Extravaganza. Our mission is to Secure the Web, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure, which ultimately makes the entire web more secure.

All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those using the free version of our plugin, are protected against any exploits targeting this vulnerability by the Wordfence firewall’s protection.

We tried to contact WPEverest on March 13, 2024 through their contact form, however, we did not receive a response. On April 9, 2024, we reached out directly to an email address we had from a previous disclosure and received a response the same day. The full disclosure details were then sent on April 10, 2024. After providing full disclosure details, the developer released a patch on April 15, 2024. We would like to commend WPEverest for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of User Registration, which is version 3.2.0, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

Description: User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin <= 3.1.5 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
Affected Plugin: User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin
Plugin Slug: user-registration
Affected Versions: <= 3.1.5
CVE ID: CVE-2024-2417
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Stiofan
Fully Patched Version: 3.2.0
Bounty Award: $2,063.00

The User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the form_save_action() function in all versions up to, and including, 3.1.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to update the registration form and make the default registration role administrator. This subsequently allows the attacker to register an account as an administrator on the site.

Technical Analysis

User Registration is a WordPress plugin that includes many features, such as a drag-and-drop registration form builder with custom fields and unlimited customization options, a login form, user profiles, and much more.

Examining the code reveals that the plugin uses the form_save_action() function in the UR_AJAX class to save the form data and settings. Unfortunately, this function was implemented insecurely, allowing all authenticated users to modify the form, including the registration default user role setting.

public static function form_save_action() {

	try {
		// Only a nonce is verified here. A nonce ties the request to a page that
		// embedded it; it does not establish that the caller may edit forms.
		check_ajax_referer( 'ur_form_save_nonce', 'security' );

		if ( ! isset( $_POST['data'] ) || ( isset( $_POST['data'] ) && gettype( wp_unslash( $_POST['data'] ) ) != 'array' ) ) { //phpcs:ignore
			throw new Exception( __( 'post data not set', 'user-registration' ) );
		} elseif ( ! isset( $_POST['data']['form_data'] )
			|| ( isset( $_POST['data']['form_data'] )
			&& gettype( wp_unslash( $_POST['data']['form_data'] ) ) != 'string' ) ) { //phpcs:ignore

			throw new Exception( __( 'post data not set', 'user-registration' ) );
		}

		// No current_user_can() check precedes the writes below, so any
		// authenticated user holding a valid nonce reaches them.
		$post_data = json_decode( wp_unslash( $_POST['data']['form_data'] ) ); //phpcs:ignore
		self::sweep_array( $post_data );
		$post_data_setting = isset( $_POST['data']['form_setting_data'] ) ? $_POST['data']['form_setting_data'] : array(); //phpcs:ignore
		// The form settings, including the default registration role, are
		// persisted as supplied by the caller.
		ur_update_form_settings( $post_data_setting, $post_id );

		// ... remainder of the function omitted in this excerpt

The function includes a nonce check; however, this nonce was available to all authenticated users, such as subscribers, on the edit profile page.

The most significant problem and root cause of this vulnerability is the fact that there are no capability checks in the AJAX function. That, combined with the ability for authenticated users to obtain the nonce needed to execute the form_save_action() function, made it possible for authenticated users, such as subscribers, to set the registration form default role to administrator. Ultimately, this makes it possible for the attacker to register a new account as an administrator and completely take over the site.
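To make the missing control concrete, the following is an added illustration of how a handler of this shape is normally hardened; it is not the plugin's code and not the vendor's actual patch. It assumes that form settings arrive as an associative array, that the default role is stored under a key named default_user_role, and that the form ID is posted as form_id; all three names are assumptions.

```php
<?php
// Added example, not the plugin's own code. Assumed names: the settings key
// 'default_user_role' and the POST field 'form_id'.
class UR_AJAX_Hardened_Example {

	public static function form_save_action() {
		// 1. Nonce: ties the request to a page that embedded the nonce.
		//    It says nothing about what the caller is allowed to do.
		check_ajax_referer( 'ur_form_save_nonce', 'security' );

		// 2. Capability check: the control that was absent. Editing
		//    registration forms is an administrative action.
		if ( ! current_user_can( 'manage_options' ) ) {
			wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
		}

		if ( ! isset( $_POST['data']['form_data'] ) || ! is_string( wp_unslash( $_POST['data']['form_data'] ) ) ) {
			wp_send_json_error( array( 'message' => 'post data not set' ), 400 );
		}

		$post_data = json_decode( wp_unslash( $_POST['data']['form_data'] ) );
		$settings  = isset( $_POST['data']['form_setting_data'] ) ? (array) wp_unslash( $_POST['data']['form_setting_data'] ) : array();

		// 3. Defence in depth: never persist a privileged role as the
		//    default for self-registration, whoever submitted it.
		$settings = self::sanitize_default_role( $settings );

		$post_id = isset( $_POST['data']['form_id'] ) ? absint( $_POST['data']['form_id'] ) : 0; // assumed key
		ur_update_form_settings( $settings, $post_id );
		wp_send_json_success();
	}

	// Returns $settings with 'default_user_role' forced to 'subscriber' when the
	// requested role does not exist or carries user-management capabilities.
	public static function sanitize_default_role( array $settings ) {
		$key = 'default_user_role'; // assumed setting name
		if ( empty( $settings[ $key ] ) ) {
			return $settings;
		}
		$role_obj  = get_role( sanitize_key( $settings[ $key ] ) );
		$dangerous = array( 'manage_options', 'edit_users', 'promote_users', 'create_users' );
		foreach ( $dangerous as $cap ) {
			if ( ! $role_obj || $role_obj->has_cap( $cap ) ) {
				$settings[ $key ] = 'subscriber';
				break;
			}
		}
		return $settings;
	}
}
```

The second function is what makes a missed authorization check on some other code path non-fatal: an administrator-level default role can no longer be written through this setting at all.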

As with any Privilege Escalation vulnerability, this can be used for complete site compromise. Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modify posts and pages which can be leveraged to redirect site users to other malicious sites or inject spam content.

Disclosure Timeline

March 9, 2024 – We receive the submission of the Privilege Escalation vulnerability in User Registration via the Wordfence Bug Bounty Program.
March 13, 2024 – We validate the report and confirm the proof-of-concept exploit.
March 13, 2024 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion. We send out initial outreach through the contact form as we did successfully in the past.
April 9, 2024 – After no response, we attempt to contact the vendor using the last known email address.
April 10, 2024 – The vendor confirms the inbox for handling the discussion.
April 10, 2024 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.
April 15, 2024 – The fully patched version of the plugin, 3.2.0, is released.

Conclusion

In this blog post, we detailed a Privilege Escalation vulnerability within the User Registration plugin affecting versions 3.1.5 and earlier. This vulnerability allows authenticated threat actors with subscriber-level permissions or higher to elevate their privileges to that of a site administrator, which could ultimately lead to complete site compromise. The vulnerability has been fully addressed in version 3.2.0 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of User Registration.

All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites running the free version of Wordfence, are fully protected against this vulnerability.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.
